need help - force EAP-TTLS to validate the server certificate
Klaus Laus
superklausx at gmx.de
Tue Sep 21 08:35:57 CEST 2010
I tried to login from another client, but it´s the same problem.
TLS Alert write:fatal:handshake failure
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.
sorry that I ask again but I want to be sure that I didn´t understand anything wrong.
Is it not generally possible to configure the freeradius server so that only clients with username/password and client certificate can login successfully?
For expample only users who choose PEAP with the right username and password and having a client certificate can login successfully.
Or is the problem with the error in reading client certificate a problem in the clients?
Thanks a lot!
-------- Original-Nachricht --------
> Datum: Fri, 17 Sep 2010 11:26:56 -0400
> Von: John Dennis <jdennis at redhat.com>
> An: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> CC: Klaus Laus <superklausx at gmx.de>
> Betreff: Re: need help - force EAP-TTLS to validate the server certificate
> On 09/17/2010 11:00 AM, Klaus Laus wrote:
> >
> > thanks a lot for your answer.
> >> Either move the "files" module before "eap", or use unlang to set it:
> >>
> >> authorize {
> >> ...
> >> update control {
> >> EAP-TLS-Require-Client-Cert = yes
> >> }
> >> eap
> >> ...
> >> }
> > I did the changes in the authorize section, and freeradius seems to
> require the client certificate. But the server is not accept my certificate. I
> don't think that the certificate is bad because I can login any client with
> the same certificate when I use TLS instead of PEAP.
> > This is my way to login with PEAP on a windows xp client maybe I do
> anything wrong? :
> > I import the pksc12 certificate from the freeradius server in the
> windows xp certificate management. When I type certmgr.msc under "run" I can see
> that the certificate is successfully imported. Then I scan for the wireless
> networks and connect to wifix, I use PEAP with MSCHAP v.2 and type in
> testuser as user with the correct password.
> > Here you can see the debug output (freeradius did not find my
> certificate):
>
> That's right, the server didn't get your cert, it's right in the debug.
> As Alan said this isn't a server issue, it's a client issue, figure out
> why your client is not returning a cert.
>
> > TLS Alert write:fatal:handshake failure
> > TLS_accept:error in SSLv3 read client certificate B
> > rlm_eap: SSL error error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > SSL: SSL_read failed in a system call (-1), TLS session fails.
> --
> John Dennis <jdennis at redhat.com>
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
--
GMX DSL SOMMER-SPECIAL: Surf & Phone Flat 16.000 für nur 19,99 Euro/mtl.!*
http://portal.gmx.net/de/go/dsl
More information about the Freeradius-Users
mailing list